Authentication & Identity
2023-10-26

Authentication Threat Model & Attack Surface Review

Identify attack vectors, security weaknesses, and trust boundary failures in authentication systems before they lead to compromise.

SCENARIO

Act as a senior Security Engineer and Identity Architect performing a threat model and attack surface review of an authentication system. Your task is to identify how this system could be attacked, bypassed, or abused, and recommend concrete defenses.

CORE PRINCIPLE:

Authentication is the primary attack surface of most systems. If identity is compromised, every downstream control becomes irrelevant.

CONTEXT:

The system exposes login, signup, token refresh, session handling, recovery flows, and third-party authentication endpoints. The goal is to identify realistic attack paths before attackers do.

PRIMARY OBJECTIVE:

Systematically enumerate attack vectors, identify weak trust boundaries, and propose defenses that eliminate or reduce the likelihood of identity compromise.

ATTACK SURFACE ENUMERATION:

  1. List all externally reachable authentication endpoints
  2. Identify all credential entry points and token issuance paths
  3. Map trust boundaries between client, API, identity provider, and storage

THREAT MODELING PHASE:

  • Identify attacker goals (account takeover, session hijack, privilege escalation)
  • Identify attacker capabilities (unauthenticated, authenticated, insider, automated)
  • Enumerate assets at risk (credentials, tokens, sessions, personal data)

COMMON ATTACK VECTORS TO ANALYZE:

  • Brute force and credential stuffing
  • Account enumeration and timing attacks
  • Session fixation and session hijacking
  • Token replay and token leakage
  • CSRF and XSS in authentication flows
  • Open redirects and OAuth callback manipulation
  • Privilege escalation via identity confusion

TOKEN & SESSION ABUSE SCENARIOS:

  • Stolen refresh token reuse
  • Long-lived token exposure
  • Missing rotation or revocation
  • Multi-device session inconsistencies

THIRD-PARTY & FEDERATED RISKS:

  • OAuth misconfiguration and scope abuse
  • Incorrect identity mapping
  • Trust boundary violations with external providers

DEFENSE & CONTROL REVIEW:

  • Rate limiting, lockouts, and bot protection
  • MFA and step-up authentication
  • CSRF tokens and origin validation
  • Secure cookie flags and transport security
  • Logging, alerting, and anomaly detection

WHAT NOT TO DO:

  • Do NOT assume TLS alone protects authentication
  • Do NOT trust client-side enforcement for identity decisions
  • Do NOT ignore low-frequency or "theoretical" attacks
  • Do NOT deploy auth flows without monitoring and alerting

OUTPUT EXPECTATIONS:

  • List of realistic attack scenarios with step-by-step paths
  • Ranked vulnerabilities by severity and likelihood
  • Trust boundary diagram and weak points
  • Concrete defensive controls and mitigations

VALIDATION & VERIFICATION:

  • Suggest security tests and penetration scenarios
  • Identify logs and metrics required to detect attacks
  • Recommend periodic audits and review cadence

FINAL CHECK:

  • If an attacker targets this system tomorrow, what is their easiest path in?
  • Which single flaw would cause the largest identity breach?

INPUT:

  • Authentication endpoints or flows: [Insert description or code]
  • Token / session design: [JWT, cookies, refresh, rotation]
  • Identity providers (if any): [OAuth, SSO]
  • Deployment context: [Public, internal, regulated]

More Authentication & Identity Prompts

Authentication & Identity Master Prompt

Design, review, and secure authentication systems to protect identities, prevent account compromise, and ensure correct behavior.

Act as a senior Security Engineer and Identity Architect with extensive experience designing authentication systems for large-scale production environments. Your task is to analyze, design, or review an authentication system to ensure correctness, security, usability, and long-term maintainability.

CORE PRINCIPLE: Authentication systems are part of the security perimeter. A single mistake can lead to account takeover, data breaches, and systemic compromise.

CONTEXT: The system includes login, signup, session or token handling, third-party identity providers, and user identity management. The goal is to ensure identities are authenticated correctly and safely.

PRIMARY OBJECTIVE: Design or review an authentication system that correctly verifies identity, resists common attack vectors, and behaves predictably across environments.

AUTHENTICATION FLOW ANALYSIS:

  1. Identify all authentication entry points (login, signup, refresh, callback, recovery)
  2. Trace the full authentication lifecycle from credential input to identity establishment
  3. Identify where identity is created, verified, persisted, and invalidated

CREDENTIAL & SECRET HANDLING:

  • Evaluate password handling, hashing, salting, and storage
  • Identify hardcoded secrets, API keys, or leaked credentials
  • Assess secret rotation and revocation mechanisms

TOKEN & SESSION STRATEGY:

  • Determine session vs token usage and rationale
  • Analyze token lifetimes, refresh behavior, and rotation policies
  • Review session invalidation, logout behavior, and multi-device handling

THREAT & ATTACK SURFACE REVIEW:

  • Identify risks such as brute force, credential stuffing, replay, fixation, and bypass
  • Evaluate CSRF, XSS, open redirect, and callback manipulation risks
  • Assess protection against enumeration and timing attacks

THIRD-PARTY & FEDERATED IDENTITY:

  • Review OAuth / SSO flow correctness
  • Validate scopes, callbacks, and identity mapping
  • Assess trust boundaries with external providers

FAILURE MODE & EDGE CASE ANALYSIS:

  • Token expiry, clock skew, network failures
  • Partial logins, interrupted flows, inconsistent state
  • Recovery flows and fallback behavior

WHAT NOT TO DO:

  • Do NOT mix authentication and authorization responsibilities
  • Do NOT trust client-side validation for identity decisions
  • Do NOT store or log sensitive credentials in plaintext
  • Do NOT assume happy-path behavior covers security correctness

OUTPUT EXPECTATIONS:

  • A clear description of the authentication architecture
  • Identified risks, weaknesses, and incorrect assumptions
  • Recommended improvements for security, correctness, and usability
  • Guidance on token, session, and identity handling

VALIDATION & SAFETY CHECK:

  • Describe how authentication correctness is verified
  • Identify logging and monitoring needed for auth failures and attacks
  • Suggest tests and audits required for long-term safety

FINAL CHECK:

  • If an attacker targets this system, where is the weakest point?
  • If authentication fails silently, how quickly will it be detected?

INPUT:

  • Authentication flow or code: [Insert Code]
  • System context: [Web, mobile, API, SaaS, enterprise]
  • Identity providers (if any): [OAuth, SSO, custom]
  • Threat model assumptions: [Public, internal, regulated]

Token & Session Lifecycle Analysis

Analyze token and session lifecycles to detect expiry bugs, leakage risks, rotation failures, and invalidation issues.

Act as a senior Security Engineer and Identity Architect responsible for reviewing the full lifecycle of tokens and sessions in a production authentication system. Your task is to ensure tokens and sessions are issued, refreshed, rotated, and invalidated correctly without enabling account takeover.

CORE PRINCIPLE: Most authentication failures are lifecycle failures. Tokens that live too long, refresh incorrectly, or fail to invalidate are the primary cause of compromise.

CONTEXT: The system uses sessions, JWTs, refresh tokens, or a combination of these to represent authenticated identities across web, mobile, and API clients.

PRIMARY OBJECTIVE: Verify that identity tokens and sessions are issued safely, expire predictably, rotate securely, and are revoked correctly across all devices.

LIFECYCLE MAPPING:

  1. Trace how authentication tokens or sessions are created
  2. Identify where they are stored (cookies, memory, local storage, headers)
  3. Trace refresh, renewal, and rotation flows
  4. Identify all invalidation and logout paths

EXPIRY & ROTATION ANALYSIS:

  • Evaluate access token lifetime and refresh token lifetime
  • Verify rotation on refresh and reuse detection
  • Identify long-lived tokens or permanent sessions
  • Analyze clock skew and time synchronization risks

INVALIDATION & LOGOUT BEHAVIOR:

  • Verify logout invalidates tokens and sessions server-side
  • Analyze multi-device and multi-session consistency
  • Identify orphaned, leaked, or non-revocable tokens

STORAGE & TRANSPORT SAFETY:

  • Review cookie flags (HttpOnly, Secure, SameSite)
  • Analyze local storage and in-memory risks
  • Verify TLS usage and header exposure

ABUSE & FAILURE SCENARIOS:

  • Refresh token replay
  • Token theft and reuse
  • Session fixation
  • Partial invalidation and ghost sessions
  • Environment-specific expiry behavior

WHAT NOT TO DO:

  • Do NOT use long-lived access tokens without rotation
  • Do NOT rely on client-side logout for invalidation
  • Do NOT store sensitive tokens in insecure storage
  • Do NOT assume expiry alone prevents abuse

OUTPUT EXPECTATIONS:

  • Full lifecycle diagram of tokens and sessions
  • Identified weaknesses in expiry, rotation, or invalidation
  • Ranked risks by likelihood and impact
  • Concrete recommendations for safer lifetimes and rotation

VALIDATION & MONITORING:

  • Suggest tests for expiry, rotation, and invalidation
  • Recommend logs and alerts for suspicious token behavior
  • Identify metrics for session anomalies and reuse

FINAL CHECK:

  • If a token leaks today, how long can an attacker use it?
  • Can all active sessions for a user be invalidated instantly?

INPUT:

  • Token and session design: [JWT, cookies, refresh, sessions]
  • Lifetimes and rotation rules: [Describe]
  • Storage method: [Cookies, headers, local storage]
  • Deployment context: [Web, mobile, API, multi-region]

MFA & Account Recovery Review

Review MFA and account recovery flows to prevent bypasses, recovery attacks, and identity takeover in production systems.

Act as a senior Security Engineer and Identity Architect reviewing the design and implementation of multi-factor authentication (MFA) and account recovery flows. Your task is to ensure these flows strengthen security rather than becoming the easiest path to account takeover.

CORE PRINCIPLE: Most account takeovers do not break login. They bypass it through recovery, support flows, or weak MFA implementations.

CONTEXT: The system uses MFA, backup codes, password reset, account recovery, or support-assisted identity recovery to restore access. These flows operate under stress and are prime targets for attackers.

PRIMARY OBJECTIVE: Ensure MFA and recovery flows verify identity correctly, resist social engineering and automation, and do not allow attackers to bypass primary authentication controls.

MFA FLOW ANALYSIS:

  1. Identify all MFA methods supported (TOTP, SMS, email, push, WebAuthn)
  2. Trace MFA challenge issuance, verification, and failure handling
  3. Identify when MFA is enforced, skipped, or downgraded

RECOVERY & RESET PATHS:

  • Trace password reset, email recovery, and account unlock flows
  • Identify identity proofing requirements before recovery
  • Analyze recovery token generation, expiry, and reuse protection

BYPASS & DOWNGRADE RISKS:

  • Identify fallback paths that skip MFA
  • Analyze device trust, remember-me, and step-down behavior
  • Detect support or admin flows that override identity verification

ATTACK & ABUSE SCENARIOS:

  • SIM swap and SMS interception
  • Phishing of OTP and push fatigue attacks
  • Recovery token replay or brute force
  • Account enumeration via reset endpoints
  • Social engineering via support channels

RATE LIMITING & ANTI-AUTOMATION:

  • Verify throttling on OTP, reset, and recovery endpoints
  • Identify missing lockouts or CAPTCHA protections
  • Analyze detection of repeated failed recovery attempts

WHAT NOT TO DO:

  • Do NOT allow account recovery with weaker verification than login
  • Do NOT allow unlimited OTP or reset attempts
  • Do NOT reuse recovery tokens or allow long-lived reset links
  • Do NOT let support bypass identity verification informally

OUTPUT EXPECTATIONS:

  • Full MFA and recovery flow diagrams
  • Identified bypass paths and downgrade risks
  • Ranked vulnerabilities by likelihood and impact
  • Concrete recommendations for stronger verification and controls

VALIDATION & MONITORING:

  • Suggest tests for MFA enforcement and recovery correctness
  • Recommend logging for recovery attempts and MFA failures
  • Identify alerts for suspicious recovery and downgrade behavior

FINAL CHECK:

  • If an attacker cannot guess the password, can they still recover the account?
  • Is recovery harder than login, or accidentally easier?

INPUT:

  • MFA methods supported: [TOTP, SMS, email, push, WebAuthn]
  • Recovery flows: [Password reset, email recovery, support]
  • Policies: [Lockout rules, retries, device trust]
  • Threat model: [Public, regulated, high-value accounts]